A critical security flaw, codenamed Cellbreak and tracked as CVE-2026-24002, has been disclosed in Grist-Core, an open-source relational spreadsheet-database. This vulnerability could allow for remote code execution, turning a spreadsheet into a significant security risk, according to a recent report by The Hacker News.Discovered by Vladimir Tokarev, the Cellbreak vulnerability (CVSS score: 9.1) is a Pyodide sandbox escape. It allows malicious formulas to execute OS commands or run host-runtime JavaScript, collapsing the boundary between cell logic and host execution. The flaw stems from Grist's Python formula execution within Pyodide, which uses a blocklist approach that can be bypassed. This enables attackers to escape the sandbox, gain filesystem access, expose secrets, and potentially access database credentials and API keys.The vulnerability has been addressed in Grist version 1.7.9, released on January 9, 2026. Grist has moved Pyodide formula execution under the Deno JavaScript runtime by default, but users should avoid the GRIST_PYODIDE_SKIP_DENO setting if untrusted formulas are used.Source: The Hacker News
Vulnerability Management, Patch/Configuration Management
Critical ‘Cellbreak’ vulnerability in Grist-Core allows remote code execution

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



